Study finds Windows more secure than Linux
Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday.
Seattle Times technology reporter
SAN FRANCISCO — Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers.
The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, "Security Showdown: Windows vs. Linux." One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint.
"I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical," said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux.
Their research could contribute to the debate about which system costs more for companies to operate. Linux costs less to acquire, but Microsoft is trying to convince buyers that its software is less expensive to run and manage.
The researchers said security management is a key factor in the cost of running any system. "We need a real factual comparison here," said Herbert Thompson, the other researcher. He is director of security research and training at Security Innovation, a company that provides security services and technology. "There's so much speculation on the Web, newsgroups, from certain presenters on an RSA stage, we need real solid facts."
They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other).
Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.
On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
"That's a very surprising statistic, and I must say the first time I saw this statistic I thought you messed with my database," Ford said to Thompson. Their presentation started jokingly, with Ford reeling off Windows jabs and praising the virtues of freely shared software that's developed collaboratively over the Internet.
But they concluded with statistics showing that the Windows setup had a clear advantage over the Linux alternative.
The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.
Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
The presentation was a preview of a report they plan to issue in 30 days.
The future of ID: Authenticating the identity of computer users is a big topic at the conference, but Microsoft's Passport authentication system was missing in action.
Chairman Bill Gates stressed the importance of authentication and authorization technologies during his keynote address Tuesday but didn't mention Passport. Instead he pitched the capability of Microsoft servers that help network administrators manage digital identities.
A serious challenge to Passport was unveiled separately by RSA Security, the Bedford, Mass., company hosting the conference.
The company, which runs America Online's authentication system, announced it's making its SecurID program for consumers available in the third quarter.
A key feature is a device that saves users from having to create or remember secure passwords. The system uses a key fob that plugs into a computer USB port and generates a new password each time a user logs in. To authenticate themselves during an online session, users enter the serial number on the back of the device and the password or code that appears on a small LCD display.
RSA did not provide pricing information. But in demonstrating the system by logging in to a fictional online bank, the company's slides showed an annual fee of $9.95 a year.
The system is being tested now by E-Trade, Yahoo! and Sony Online Entertainment.
Check the checks: Credit-card companies are doing an effective job cracking down on fraud. But there are plenty of ways for identity thieves to steal from you, Gartner researcher Avivah Litan said.
Particularly at risk are the checking-account transaction systems. Litan said they haven't been targeted as much in the past so their security systems lag behind those of credit-card processors.
One step that banks are taking is to strengthen authentication methods. Litan predicted that by the end of 2007, around three-fourths of banks around the world will use something other than passwords.
"Passwords really don't cut it anymore," she said during an RSA media luncheon, which paved the way for RSA to announced its SecurID system.
On the government front: Government regulation of cyberspace may be needed to protect the nation's critical infrastructure, said Richard Clarke, former U.S. counterterrorism coordinator.
Clarke and Jamie Gorelick, a former deputy attorney general and a member of the 9-11 commission, appeared at RSA and called for action on anti-terrorism recommendations such as a national intelligence director.
They said government and private industry should do more together to secure the network infrastructure from a future attack. Clarke equated such an attack with other surprises the nation received in the last century — the Pearl Harbor attack and Sputnik — as well as the Sept. 11 attack.
"It shouldn't happen twice in one generation, and on the issue of cybersecurity we are forewarned," he said.
Brier Dudley: 206-515-5687 or firstname.lastname@example.org